Two years after General Motors hired its first Chief Product Cyber Security Officer, the auto industry released its first-ever cybersecurity best practices guide. With the cybersecurity threat expanding rapidly, we have to ask ourselves…what’s next?
Cybersecurity is a well-known threat, especially to the auto industry. It is not only the auto dealer’s internal operational and financial systems, but also the cars themselves, that pose a cybersecurity threat. As reported by Forbes, it is expected that by the mid-2020s all new vehicles will have data connections. We have seen significant communication advances between manufacturers and cars. Products already exist that let auto dealerships download and monitor the activity of their customers’ vehicles in real time. Faced with statistics like this, it is more critical than ever to take steps to get ahead of hackers.
The rise of autonomous, connected vehicles has made cybersecurity a huge issue in the auto industry. Realizing this threat, the auto industry released its first-ever cybersecurity best practices guide in 2016. In this guide, the Automotive Information Sharing and Analysis Center (AUTO-ISAC) identified seven key areas where dealers should narrow their focus: governance, risk management, security by design, threat detection and protection, incident response, awareness and training, and information sharing and collaboration. Although challenging, there are steps that auto dealers can take to get and stay ahead of hackers.
Understanding the Unique Financial Nature of the Auto Industry
- According to the Gramm-Leach-Bliley Act (GLBA), dealerships are considered financial institutions when they collect and store a customer’s financial information in their database(s). This means dealerships have a responsibility to their customers to follow the legislative guidelines for securing their customers’ data.
- Dealers collect personally identifiable financial information when providing financing services. Under the Payment Card Industry’s Data Security Standard (PCI DSS), dealers are responsible for protecting cardholder data.
Challenges and Risks
The nature of the digital age is founded in constant evolution, which means that security risks are constantly changing and increasing at an alarming rate. This requires auto dealers to be proactive and adaptable, allowing for fraud detection, 24/7 monitoring, and real-time risk assessments.
Examples of risks specific to dealerships:
- Auto dealerships often operate using cloud-based technologies, potentially exposing intelligence on vehicle sales and service, potential and existing customer information, etc.
- Autonomous vehicles give hackers the ability to take information such as GPS coordinates and a driver’s usernames and passwords for various in-car applications, or, even worse, to control certain features of the car like cruise control. There is research that shows that if a hacker can gain access to a car’s computer network, they could completely stop and immobilize a car. As stated by Tyler Shields, a security analyst at Forrester Research, "It's one thing to hack someone's laptop and steal their credit card number. It's something totally different to hack someone's car and take out their brakes when doing 80 mph."
What can you do to manage cyber security risks?
A dealership needs to make sure that its cybersecurity efforts are coordinated throughout its entire operational / financial system(s) with a top-down approach. As recommended by the National Cyber Security Alliance, a top-down approach requires corporate management to lead prioritization of cybersecurity practices. Other ways to mitigate a data breach / cyber security attack:
- Identify the most valuable information you collect from your customers, and the threats and risks facing that information, and their probability of occurrence.
- Assess the damage your dealership could incur if customer data was lost or wrongfully exposed, and your ability to recover.
- Proactively detect any nefarious activities on your network.
- Dealerships should continuously monitor their exposure to risk. Information regarding employees, customers, suppliers, contractors, etc. may all include sensitive information. What makes this data even more sensitive is how it is stored. When stored on removable media, mobile devices and hard drives, it can easily be transferred into the wrong hands. We recommend that our clients establish safeguards such as encryption and remote device wipe technology.
- Conduct external penetration tests.
- Without a high level of user adoption, even the most robust cybersecurity program will be limited. We advise our clients on how to implement programs company-wide, so their employees understand the risks, their responsibilities and the actions that need to be taken.
- Make sure you understand what risk-based scenarios your insurers will cover.
In today's world, it is of critical importance that dealership management teams proactively assess the company’s current state of cyber security readiness, including the ability to identify, protect, detect, respond, and recover from an incident. For more information on how DKB can help, view our Automobile Dealership services here.